January 15, 2013

A global spy ring targeting governmental, diplomatic and scientific research organization computer networks has been uncovered by Kaspersky Lab.

Known as Red October, or Rocra for short, the malware has targeted specific organizations mostly in Eastern Europe, former USSR members and countries in Central Asia, but it has also hit Western Europe and North America, according to a post on SecureList, Kaspersky Lab’s blog.

“Red October is currently still active with data being sent to multiple command-and-control servers, through a configuration which rivals in complexity the infrastructure of the Flame malware,” the blog post reads. “Registration data used for the purchase of C&C domain names and PE timestamps from collected executables suggest that these attacks date as far back as May 2007.”

Kaspersky Security Network compiled a list of countries with the most infections as seen below.

Country                       Infections
RUSSIAN FEDERATION            35
KAZAKHSTAN                    21
AZERBAIJAN                    15
BELGIUM                       15
INDIA                         14
AFGHANISTAN                   10
ARMENIA                       10
IRAN; ISLAMIC REPUBLIC OF      7
TURKMENISTAN                   7
UKRAINE                        6
UNITED STATES                  6
VIET NAM                       6
BELARUS                        5
GREECE                         5
ITALY                          5
MOROCCO                        5
PAKISTAN                       5
SWITZERLAND                    5
UGANDA                         5
UNITED ARAB EMIRATES           5

The malware is sent by means of a spear-phishing e-mail to target specific victims within an organization. Once downloaded, the infected files release a trojan on the PC which then scans the local network to uncover other computers vulnerable to the same attack.

The malware downloads modules, often as .dll libraries, that can later perform a number of “tasks.” The infected device then carries out instructions from the command center and immediately destroys the evidence.

Modules are also often installed on an infected system to steal data from Windows Mobile devices, iPhones and Nokia handsets. Once a mobile device is connected to the victim’s machine, the modules start collecting data from the phone.

“During our investigation, we’ve uncovered over 1,000 modules belonging to 30 different module categories,” the blog reads. “These have been created between 2007 with the most recent being compiled Jan. 8, 2013.”

Information collected from infected networks is often reused in later attacks, according to Kaspersky. In one instance, stolen credentials were stockpiled for use when the attackers needed to guess passwords and network credentials in other locations.

Red October is able to spy and steal in a number of ways, which Kaspersky has broken down into two groups: persistent tasks and one-time tasks.

Examples of persistent tasks:

• Once a USB drive is connected, search and extract files by mask/format, including deleted files. Deleted files are restored using a built-in file system parser.

• Wait for an iPhone or a Nokia phone to be connected. Once connected, retrieve information about the phone, its phone book, contact list, call history, calendar, SMS messages and browsing history.

• Wait for a Windows Mobile phone to be connected. Once connected, infect the phone with a mobile version of the Rocra main component.

• Wait for a specially crafted Microsoft Office or PDF document and execute a malicious payload embedded in that document, implementing a one-way covert channel of communication that can be used to restore control of the infected machine.

• Record all keystrokes and take screenshots.

• Execute additional encrypted modules according to a pre-defined schedule.